Today I found a spam link that pretended to be a Facebook photo (http://bit.ly/facebook_photo_*****.jpg). The interesting things about this case are the number of people who clicked on it and the camouflage technique used. It was spreading mainly by email, instant messaging and Facebook; these are the numbers:
The link received almost 40 thousand clicks. The destination was a .EXE file hosted on Rapidshare; at the time of writing this post the file had already been deleted:
Using shorteners to hide links is common practice among spammers, but in this case they used two services: as you can see in the following screenshot, the actual destination of the spam link is another short link:
This second link is the one that redirects to the malicious download. To the user it looks the same, since the redirect happens instantly.
Most antispam filters can resolve the actual destination of short links, at least for the more popular services (bit.ly, tinyurl.com, goo.gl, etc.), but when two short links are chained as in this case, some of them lose effectiveness.
The following is an example of what happens with the WOT plugin. In the screenshot you can see three short links that all point to a site with a low reputation:
The first two links are marked as dangerous, which is correct because the destination of both is an untrustworthy site. However, the third link, whose final destination is the same as the previous two, is marked as safe (green circle).
– Tinyurl + spam site = detected
– Bit.ly + spam site = detected
– Bit.ly + Tinyurl + spam site = not detected
This happens because WOT follows the first link but not the second one, so what it is actually rating as safe is the tinyurl.com domain. Similar detection failures occur with other filters and plugins, and the problem is even greater given the number of link-shortening services that exist and the ease with which short links can be created.
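To show the difference between rating the first hop and rating the final destination, here is an added example (my own code, not part of the original post and not how WOT or any antispam filter is implemented). It follows a redirect chain hop by hop until a non-redirecting URL is reached, refuses to call a link "safe" while it still ends on a shortener or never resolves (loop or too many hops), and rates every hop of the chain against a reputation list. The redirect table, the short-link paths and the `spam-host.example` blocklist entry are constructed stand-ins for live HEAD responses and a real reputation service; `live_location` is included only to show how the same resolver would be fed from real HTTP Location headers.

```python
"""Resolve a chain of URL shorteners to its final destination before rating it.

Constructed example: FAKE_LOCATIONS stands in for the Location headers a HEAD
request would return, and LOW_REPUTATION for a reputation service. All hosts
and paths below are invented for illustration.
"""
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl"}   # well-known shortener hosts
LOW_REPUTATION = {"spam-host.example"}             # assumed blocklist (constructed)

# Constructed redirect table: short URL -> Location header it answers with.
FAKE_LOCATIONS = {
    "http://tinyurl.com/aaaa": "http://spam-host.example/photo.exe",   # Tinyurl + spam site
    "http://bit.ly/bbbb": "http://spam-host.example/photo.exe",        # Bit.ly + spam site
    "http://bit.ly/cccc": "http://tinyurl.com/aaaa",                   # Bit.ly + Tinyurl + spam site
    "http://bit.ly/loop1": "http://tinyurl.com/loop2",
    "http://tinyurl.com/loop2": "http://bit.ly/loop1",                 # redirect loop
}


def fake_location(url):
    """Return the Location header for a short URL, or None if it is final."""
    return FAKE_LOCATIONS.get(url)


def live_location(url, timeout=5):
    """Issue one HEAD request without following redirects; return Location or None."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None          # make urlopen raise HTTPError on any 3xx

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout):
            return None          # 2xx: this URL is the final destination
    except HTTPError as err:
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def resolve_chain(url, location=fake_location, max_hops=10):
    """Follow redirects hop by hop.

    Returns (chain, status); status is 'final', 'loop' or 'too_many_hops'.
    Relative Location headers are resolved against the URL that sent them.
    """
    chain, seen = [url], {url}
    for _ in range(max_hops):
        nxt = location(chain[-1])
        if nxt is None:
            return chain, "final"
        nxt = urljoin(chain[-1], nxt)
        chain.append(nxt)
        if nxt in seen:
            return chain, "loop"
        seen.add(nxt)
    return chain, "too_many_hops"


def verdict_first_hop(url, location=fake_location):
    """Rate only the first hop's target: the behaviour the post observes in WOT."""
    target = location(url) or url
    return "dangerous" if host_of(target) in LOW_REPUTATION else "safe"


def verdict_full_chain(url, location=fake_location):
    """Rate every hop of the resolved chain, never trusting an unresolved one."""
    chain, status = resolve_chain(url, location)
    if any(host_of(u) in LOW_REPUTATION for u in chain):
        return "dangerous"
    if status != "final" or host_of(chain[-1]) in SHORTENERS:
        return "unresolved"      # still on a shortener, looped, or hop limit hit
    return "safe"


if __name__ == "__main__":
    for u in ("http://tinyurl.com/aaaa", "http://bit.ly/bbbb", "http://bit.ly/cccc", "http://bit.ly/loop1"):
        print(u, "first hop:", verdict_first_hop(u), "| full chain:", verdict_full_chain(u))
```

Run as is, the first-hop verdict reproduces the three results in the list above (detected, detected, not detected), while the full-chain verdict marks the doubly shortened link as dangerous and the loop as unresolved. To use it against real links, pass `location=live_location` to `verdict_full_chain`; the hop limit keeps a malicious chain from tying up the checker indefinitely.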